IS AUTHORIZATION REQUIRED TO SHARE INFORMATION WITH PUBLIC HEALTH?
The Privacy Rule provides for a number of situations in which protected health information 
may be shared without an individual’s authorization. 


45 CFR 164.512 provides “A covered entity may use or disclose protected health 
information without written authorization of the individual, as described in §164.508, or the 
opportunity for the individual to agree or object as described in §164.510, in the situations 
covered in this section, subject to the applicable requirements of this section...” 


These include the following situations: 


Uses and disclosures required by law. A covered entity may use or disclose protected 
health information to the extent that such use or disclosure is required by law and the 
use or disclosure complies with and is limited to the relevant requirements of such law. 
(See 45 CFR §164.512(a)(1)). 


Uses and disclosures for public health activities. A covered entity may disclose 
protected health information for the public health activities and purposes to: 

- A public health authority that is authorized by law to collect or receive such 
information for the purpose of preventing or controlling disease, injury, or disability, 
including, but not limited to, the reporting of disease, injury, vital events such as 
birth or death, and the conduct of public health surveillance, public health 
investigations, and public health interventions. (See 45 CFR §164.512(b)(1)(i)). 

- A public health authority or other appropriate government authority authorized by 
law to receive reports of child abuse or neglect. (See 45 CFR §164.512(b)(1)(ii)). 

- A person subject to the jurisdiction of the Food and Drug Administration (FDA) with 
respect to an FDA-regulated product or activity, for the purpose of activities related 
to quality, safety or effectiveness of such FDA-regulated product or activity. (See 45 
CFR §164.512(b)(1)(iii)). 

- A person who may have been exposed to a communicable disease or may 
otherwise be at risk of contracting or spreading a disease or condition, if the covered 
entity or public health authority is authorized by law to notify such person as 
necessary in the conduct of a public health intervention or investigation. (See 45 
CFR §164.512(b)(1)(iv)). 

- Workplace medical surveillance. (See 45 CFR §164.512(b)(1)(v)). 


Covered entities that are also public health authorities may use, as well as disclose, 
protected health information for the public health purpose provided in 45 CFR 
§164.512(b)(1). (See 45 CFR §164.512(b)(2)). 


Resources: 


- HIPAA Administrative Simplification Statute and Rules are found at 45 C.F.R. Parts 160, 
162, and 164. 
https://www.hhs.gov/hipaa/for-professionals/index.html. 

- Unofficial Version of the Combined Regulation text, as amended in March, 2013 
is available at 
https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf. 

- The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) 
enforces the HIPAA Privacy and Security Rules. The OCR issues guidance on the 
HIPAA Privacy and Security Rules, available at 
https://www.hhs.gov/hipaa/index.html. 




Missouri Department of Health 
and Senior Services 
P.O. Box 570 
Jefferson City, MO 65102 


Alternate forms of this publication for persons with 
disabilities may be obtained by contacting the 
Missouri Department of Health and Senior Services 
at 573-751-6005. 


An EO/AA employer: Services provided on a 
nondiscriminatory basis. Individuals who are deaf, 
hard-of-hearing, or have a speech disability 
can dial 711 or 1-800-735-2966. 

This brochure is not intended to serve as legal advice, nor 
should it be considered an endorsement of the resources 
provided. If you have questions, be sure to contact your 
legal counsel to determine your own compliance with the law 
and appropriate policies and procedures. 


The Health Insurance Portability and 
Accountability Act of 1996 (HIPAA), 
Public Law 104-191, was established to 
improve the efficiency and effectiveness 
of the health care system in the United 
States and included the Administrative 
Simplification provisions that establish 
standards and protections for health care 
systems. To implement the statute, the 
U.S. Department of Health and Human 
Services (HHS) published a series of 
rules: 

- Privacy Rule 
Governing the confidentiality of 
protected health information. 

- Security Rule 
Governing the security and 
confidentiality of health information in 
electronic form. 

- Transaction and Code Set Rule 
Governing the electronic transmission 
of health information and standardizing 
the billing codes for services. 

- Enforcement Rule 
Provides standards for the 
enforcement of all the Administrative 
Simplification Rules. 

- National Provider Identifier Rule 
Establishing a system for uniquely 
identifying all covered health care 
providers. 

- The Health Information Technology 
for Economic and Clinical Health 
(HITECH) Act 
Strengthens the privacy and security 
protections for health information 
established under HIPAA. 


PRIVACY RULE’S IMPACT ON PUBLIC HEALTH 


The HIPAA Privacy Rule establishes 
a set of standards for protected health 
information. The Privacy Rule covers 
the use and disclosure of protected 
health information of individuals and 
their privacy rights. A goal of the 
Privacy Rule is to allow the flow of 
health information needed to provide 
and promote health care and protect 
the public’s health and well-being, 
while protecting the individual’s health 
information. 


While the Privacy Rule limits the 
sharing of protected health information, 
the Privacy Rule permits covered 
entities to disclose protected health 
information to public health authorities 
that are authorized by law to collect or 
receive such information to carry out 
their public health mission of protecting 
the health and safety of the public. 


Public health reports made by covered 
entities are a vital way of identifying 
public health and safety threats. As 
such, the Privacy Rule allows covered 
entities to disclose protected health 
information without authorization for 
specified public health purposes. 


health.mo.gov 


Key HIPAA Terms 


Public Health Authority 

An agency or authority of the United 
States, a State, a territory, a political 
subdivision of a State or territory, or 
an Indian tribe, or a person or entity 
acting under a grant of authority from 
or contract with such public agency, 
including the employees or agents of 
such public agency or its contractors 
or persons or entities to whom it has 
granted authority, that is responsible 
for public health matters as part of 
its official mandate. (See 45 CFR 
§164.501). 


Covered Entity 

A health plan, health care 
clearinghouse, or health care provider 
who transmits any health information 
in electronic form in connection with 
transactions for which HHS has 
adopted standards. 


Protected Health Information (PHI) 

All individually identifiable health 
information held or transmitted by 
a covered entity or its business 
associate, in any form or media, 
whether electronic, paper, or oral. 


Authorization 

Detailed document containing the 
required elements of the Privacy Rule, 
completed by the individual authorizing 
a covered entity to disclose specified 
protected health information to a third 
party for specified purposes. 


DISCLOSURES REQUIRED BY MISSOURI LAW 


In Missouri, there are a number of disclosures that 
health care providers are required by law to make. 


These mandatory disclosures are not changed by HIPAA. 


For example, hospitals/physicians must 
share information with the Missouri 
Department of Health and Senior Services 
(DHSS) for: communicable, environmental 
and occupational disease reporting (19 
CSR 20-20.020); epidemiological studies 
(§192.067, RSMo); information about 
infant metabolic and genetic screenings 
(§191.331, RSMo); and information 
about quality of care and access to 
care (§192.068, RSMo). The provided 
examples are not a complete list of 
mandatory disclosures that health care 
providers are required to make. 


The information gathered from required 
disclosures is still confidential. 

There are corresponding confidentiality 
requirements for the disclosures. 
§192.067, RSMo requires that DHSS 
maintain confidentiality of information 
gathered from patients’ medical records. 
This information can be released only 
in aggregate form that prevents the 
identification of a patient or physician, 
unless that information is being shared 
with another public health authority. 
§192.317, RSMo protects the information 
DHSS gains about infant metabolic and 
genetic screenings. §192.068, RSMo 
provides that quality of care data is not 
classified as public information, and 
cannot be released in a way that identifies 
any patient. 


